from the wait,-what's-the-problem-exactly? dept

For years now, we've discussed the ridiculousness of the COPPA law (the Children's Online Privacy Protection Act). The rallying cry of "protect the children!" quite frequently leads to very poor policy decisions, and COPPA (and the enforcement around it) is a perfect example of that. While there might possibly be good intentions behind the law, the practical reality is that it's a joke. It effectively places a much larger burden on any site that allows anyone under 13 to use the site. While, in practice, it's supposed to only apply to sites that are targeted to kids, in an attempt to avoid that, many sites put a blanket ban on those under 13. In our own terms of service we explicitly tell anyone under 13 not to register with our site. Our lawyers more or less insisted that we had to do this, and plenty of other sites do the same. So the end result is that kids under 13, who often should be using the internet, are told that they can't use large parts of the internet -- including sites that are useful to their education. But of course many of them still use the internet. They just lie about it. In fact, one researcher found that the only practical effect of the law is that it leads parents to teach their kids that it's okay to lie. Even worse, the FTC seems entirely unconcerned about the real impact of the law -- but prefers to insist that it's really protecting children, despite no actual evidence to support this. In fact, the FTC has even pushed to expand the law.

The FTC has now gone after its latest COPPA "violator": Yelp. According to the complaint filed against the company Yelp had the audacity to let kids under 13 register for its service via the company's iOS and Android apps. And then? Well, I assume that the very small number of kids who did so, used the app to *gasp* find reviews on restaurants and such things. The FTC complaint doesn't present any evidence of any actual harm here. Just the fact that it let a small number of kids register, and then didn't meet all the checkbox requirements of "protecting the children."

I'm honestly curious if the "consumer protection division" at the FTC thinks that kids would be better off if they were blocked from using Yelp entirely, or if they just think,"Aha, gotcha!" when they file these kinds of lawsuits?

from the reform-the-cfaa-now dept

We've been talking a lot lately about the need for serious reform of the Computer Fraud and Abuse Act (CFAA), which was initially supposed to be a law about malicious hacking, but has been used repeatedly by the DOJ and others to attack something so simple as a minor terms of service violation as a potential felony. While certain courts have rejected the DOJ's interpretation, that has not stopped the DOJ from claiming that its interpretation can be applied in other circuits. Even more bizarre is that, rather than fixing the law, Congress's most recent actions have suggested an interest in expanding the law even further, increasing the punishment levels for those the DOJ decides to go after.

The EFF has pointed out just how ridiculous it is to argue that violating a terms of service is a potential felony, noting how that even makes children who read online news sites potential felons for violating terms of service. This is, in part, due to another bad law that we've spoken about, the Children's Online Privacy Protection Act, or COPPA. The issue here is that online sites have stricter rules if they're seen as targeting children under the age of 13. To avoid this potential liability, many websites simply inserted a clause into their terms of service saying that you can only read the site if you're over 13 (some sites say 18 and others say between 13 and 18 need a parent's approval). While this is somewhat lazy lawyering on the part of those sites (to ban outright), those are their terms of service. And violating such terms violates the CFAA under the DOJ's interpretation.

The EFF notes that such age exclusion provisions are pretty common, and sites like the NY Times and NBC News bar children under 13 entirely.

This means that inquisitive 12-year-olds who visit NBCNews.com to learn about current events would be, by default, misrepresenting their ages. Again, this could be criminal under the DOJ's interpretation of the CFAA.

We’d like to say that we’re being facetious, but, unfortunately, the Justice Department has already demonstrated its willingness to pursue CFAA to absurd extremes. Luckily, the Ninth Circuit rejected the government’s arguments, concluding that, under such an ruling, millions of unsuspecting citizens would suddenly find themselves on the wrong side of the law. As Judge Alex Kozinski so aptly wrote: "Under the government’s proposed interpretation of the CFAA...describing yourself as 'tall, dark and handsome,' when you’re actually short and homely, will earn you a handsome orange jumpsuit."

And it’s no excuse to say that the vast majority of these cases will never be prosecuted. As the Ninth Circuit explained, “Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.” Instead of pursuing only suspects of actual crimes, it opens the door for prosecutors to go after people because the government doesn’t like them.

Unfortunately, there’s no sign the Justice Department has given up on this interpretation outside the Ninth and Fourth Circuits, which is why the Professor Tim Wu in the New Yorker recently called the CFAA “the most outrageous criminal law you’ve never heard of.”

Then the Atlantic Wire helpfully jumped in and highlighted many other publications and their online terms of service, showing that young readers of many of today's most popular news sites are potentially breaking the law every time they do so under the DOJ's clearly stated position on the CFAA.

The EFF followed it up by pointing out that, until just recently, if you were a 17-year-old girl (or younger!) reading the magazine Seventeen online, you were almost certainly breaking the law under the DOJ's interpretation of the CFAA, since its terms restricted visitors to those 18 and older.

Rather than "trusting" the DOJ not to abuse this kind of thing, wouldn't we all be better off fixing it?

from the for-the-encouragement-of-lying dept

There are plenty of stories about children under the age of 13 having to lie (often with the assistance of their parents) to get on Facebook. This is due to the ridiculous COPPA law that the FTC supports strongly, despite it doing close to nothing to actually "protect children." But what's the excuse for people lying at the other end of the scale? A 104 years old woman is forced to be perpetually 99 years old because Facebook apparently refuses ages higher than that. It makes you wonder if they just never thought someone with three digits in their age would use the service and only set up the database to handle two digits. Oddly, rather than defaulting down to 99 years old when Marguerite Joseph tried to enter her birth year of 1908, the system automatically took 20 years off her life and said she was born in 1928. Either way, just as parents are helping children lie about their age at the youth end of the spectrum, in this case, it's Marguerite's granddaughter who's the accomplice here, since Marguerite is legally blind, but still likes to keep in touch with people via Facebook.

from the picking-on-the-headline-winners dept

So, the FTC got some press today for announcing a high profile "settlement" with social networking startup Path. You might think that this is entirely about the news that came out a year ago, about Path uploading entire user address books to its server. If you don't recall, that story got a lot of press coverage. Basically, Path, like tons of social networks and mobile apps, had a feature which was "see if your existing friends already use this app and connect to them." But, to do that, it needed to know who your friends are. The process it used to do this was to upload your address book in the background and then compare it to their user base. This was, certainly, a somewhat questionable practice on privacy grounds, but it was something that lots of companies did, because it was a simple way to use the "find your friends" feature.

Of course, as soon as the story about Path went viral, most companies who were doing this very, very quickly dropped the practice, and figured out other, less privacy-invasive ways to connect you to your friends. That's a good thing. So, does the company need to be punished? It seems like negative publicity and the market took care of everything.

Well... if you look at the details of the Path "settlement," it wasn't even really about that issue at all. Yes, Path agreed to have outside privacy audits for the next 20 years (which is the FTC's go to "punishment" plan), but the hyped up $800,000 payment actually had nothing whatsoever to do with the uploading address books. Instead, it dealt with a different issue. During the investigation, the FTC also found that Path likely violated COPPA, the silly and misguided law that basically means most sites put in their terms that they don't allow anyone under 13 to use it. Of course, in practice this has significant unintended consequences, including not letting perfectly reasonable services be available to kids and (more likely) parents teaching their kids to lie about their age.

It turned out that for a brief period of time, Path did not exactly follow the COPPA rules, and actually let a few thousand kids under the age of 13 sign up. So, they may have violated the rule. But... Path had discovered and fixed this well before the FTC investigation began. The company claims it was just an oversight that their system did not automatically reject users under the age of 13.

So... the company made a mistake, caught it and fixed it, without having the FTC get involved at all. And there's no evidence, at all, that it misused the data it collected here. And yet it needs to pay $800,000? Why? For a big company, $800,000 may be small beans, but for a startup, that's significant money.

Oh, and even more bizarre: as noted earlier, lots of companies did similar things to Path, but the FTC only went after Path. When asked why they only went after Path, outgoing FTC boss Jon Leibowitz gave a non-answer, saying that they're just a small agency and so they have to "pick and choose which malefactors you want to go after." So they chose the one most likely to create headlines -- and forced them to cough up $800,000 over a "violation" that was the result of an accident, which the company had already discovered and fixed, and for which no abuse was found. That doesn't seem like good policy. It seems like vindictive choices by the FTC focused on the maximum potential to create headlines, rather than actually protect people's privacy.

from the we-don't-need-the-ftc-to-act-as-our-parents dept

Earlier this year, we were reasonably worried about the FTC's plan to expand COPPA. COPPA -- the Childrens Online Privacy Protection Act -- is one of those laws that appears to have the best of intentions. Who doesn't want to protect the privacy of children, right? But as with so many things, the unintended consequences of overprotection often outweigh the benefits. In practice, the existing COPPA, which puts significant additional burdens on sites that target children under 13, has meant that lots of websites simply ban children under 13 entirely. The end result isn't that children under 13 are more protected, but that parents teach their kids it's okay to lie and to sign up for sites when they're "underage." At the same time, this drives away lots of services that could be really helpful to children -- especially educational sites.

And yet... the FTC wants to expand COPPA, rather than fix its problems. While the new proposals are not as bad as some ideas that had originally been floated, there are still some significant problems with them. As CDT notes, the unintended consequences of the broad definitions could raise significant First Amendment issues:

...we are concerned that the updated definition of when a website is “directed to children” could expand COPPA's reach to general audience sites and confuse website owners as to whether these new rules apply to them. This uncertainty will likely prompt more sites to take advantage of the Commission’s new age-screening safe harbor, which could lead to many more sites demanding age or identifying information from all users before allowing access. Requiring age verification from every user runs counter to the First Amendment right to access information anonymously and increases the collection of potentially sensitive information generally. The new rule's uncertainty is magnified for third party plug-in operators, who may now be liable for the decisions of publishers to embed their plug-in on sites directed to children

To start, by deeming persistent identifiers as personal information per se, the FTC's new rule runs contrary to established U.S. privacy law: federal courts have unanimously decided that IP addresses do not allow the contacting of a specific individual.

Further, as Commissioner Ohlhausen's dissent notes, the COPPA statute does not allow the FTC to impose liability on sites that do not collect children's information merely because the operator may somehow benefit from an ad network or plug-in operator collecting information—provided the third party neither targets children nor shares information with the site operator.

If a third party becomes liable once a single employee "recognizes the child-directed nature" of a website—whatever that means—COPPA will become the worst kind of notice-and-takedown system: Would a single complaint—or tweet—from a parent or activist group create "knowledge?" Faced with the impossible task of predicting how the FTC might characterize each of the millions of sites on which ads or plug-ins might appear, operators will have to try to block advertising or plug-ins on sites that appears to be child-oriented. If they can't do that effectively, this potential liability may effectively kill behavioral advertising on any site that can't prove it isn't child-oriented—in other words, on small sites.

Thus, COPPA will now impact adult sites, denying publishers revenue and adult users the functionality that is increasingly provided by embeds. Thus, the FTC invites not only a statutory challenge but also a constitutional challenge similar to that which led the Child Online Protection Act (COPA) to be struck down.

Yesterday, the U.S. Federal Trade Commission (the FTC) promulgated new rules (effectively July 1, 2013) interpreting the Children’s Online Privacy Protection Act (COPPA), and the new rules are a real mess. They are riddled with innumerable ambiguities and questionable policy choices, and I could spend a decade or two trying to figure out how the new rules apply to different factual situations.

That's not a good thing -- unless you're a lawyer. As he notes, once again, the intentions may have been good, but the implementation is a disaster:

The FTC wanted to crack down on these COPPA workarounds, but in typical FTC fashion, it did so in a ham-fisted and marble-mouthed way.

Basically, we're talking about the usual "unintended consequences" of going overboard in trying to "protect the children!" It's a noble goal, obviously. But, speaking as a parent as well as someone who's aware of how these kinds of rules tend to limit innovation, I'd much prefer that the FTC actually stay out of the parenting business and leave that to me.

from the well-meaning,-but-bad-policy dept

We've written a few times about the Childrens Online Privacy Protection Act (COPPA) and how it was put in place without any data and without much concern for unintended consequences. As danah boyd has shown in her research, COPPA hasn't necessarily done much to protect children. Instead, it's made parents teach their kids it's okay to lie about their age. It's also why so many websites have seemingly arbitrary restrictions on kids under the age of 13. It's one of those "think of the children" laws that people want to like because it sounds good, and no one wants to support big businesses preying on children. But, the reality is that it has tremendous problems -- unintended consequences that limit various services -- and does little to actually protect children.

The FTC plans to put COPPA obligations on plugin developers if they “know or have reason to know” that their plugin has been installed on a children’s site. “Plugins” include analytics providers, advertising networks, social media plugins, embedded videos, or anyone else who provides third-party code for websites. Under the FTC's proposed change, if plugin developers receive a user’s IP address through a plugin that’s been installed on a children’s site, they could face legal liability for collecting children’s personal information.

It’s unclear how a plugin or platform like Twitter is supposed to “know or have reason to know” that someone has cut and pasted a line of their code into a children’s site. The FTC says that plugin developers “will not be free to ignore credible information brought to their attention.” But the FTC doesn’t say what counts as “credible.” Would developers have to assume every random e-mail is a credible tip that could saddle them with legal liability? Even if the FTC did provide clarity, though, it would still be extraordinarily burdensome to place legal obligations on plugin developers based on the actions of others.

The end result would almost certainly involve those companies putting a lot more limits on their apps, and create a huge cost (and potential liability) for all sorts of plugin and app writers. But there's an even bigger problem. While COPPA was clearly limited at sites directed at children, the FTC seems to think this wasn't enough, because other sites not directed at children might still attract children... and so they want this problematic rule to expand to sites who don't even cater to children:

Things get worse with the FTC’s second major proposal: expanding the scope of sites deemed “directed to children” from sites aimed primarily at a very young audience to include sites and services that are “likely to attract an audience that includes a disproportionately large percentage of children under 13 as compared to the percentage of such children in the general population.”

This convoluted standard raises a number of serious issues. Not only is it difficult for site operators to gauge what proportions of their audience fall into arbitrary age buckets, but the FTC also gives operators no sense of what it means for an audience to be “disproportionately” composed of children in comparison to the general population. If a site’s audience is 20 percent children, is it disproportionately composed of children? What about at 30 percent? It’s not clear from the language, and it won’t be clear to website operators trying to run their sites while staying within the bounds of the law.

In fact, as CDT notes, this change almost certainly will do the exact opposite of what the rule intends. That is, it will make sites feel they need to collect more data about who is accessing their sites to make sure that they know if their audience includes kids, in which case they'll have to take steps. But that means they'll be... collecting more data about kids -- which is exactly what COPPA is supposed to stop.

The FTC folks who support COPPA are certainly well meaning, but they seem to have little concern or interest about the real impact of the law and their specific rules around it, and how it not only fails to help protect children, but puts a serious damper on innovation as well.

from the they-lie-and-new-services-aren't-developed dept

A few months ago, we mentioned the ridiculousness of the the Children's Online Privacy Protection Act, which has strict rules for any sites that target services to children under the age of 13. It's one of those "for the children!" laws that are so popular with politicians, but which never seem to have any basis in evidence, and never seem to consider the unintended consequences. Under the law, as we noted, any site that wants to target kids has to meet certain very high standards, requiring permission from parents. In theory (and in a total vacuum) perhaps this sounds good. But the real impact is that very few sites look to create useful internet services for kids... and kids learn pretty early in their youth how to lie about their age online.

I asked Mamie Kresses, senior attorney for the FTCís Division of Advertising Practices, whether there had been any study about how truthful children are reporting their ages online. They have no such research, she said. I asked whether the FTC had any data about how often parents use the means of notice and consent COPPA provides. None, she said.

The most disturbing unintended consequence of the regulation, I think, is the chill it likely puts on serving children online. In the early days of the web, I started the Yuckiest Site on the Internet ó about goo, bugs, and science ó to serve young readers at the local news sites I ran. After COPPA, my employer decided the risk in serving young people and even inadvertently recording a childís name or targeting an ad was too great.

We donít know how many sites have not been started to serve children online. Isnít this the group we should be serving best? I asked Kresses whether the FTC had done research on the extent of a chill. No, she said.

Finally, I asked whether the FTC had revisited the reasons for COPPA. What harm are we trying to prevent by restricting identity online ó and is it effective? She responded with circular logic: They are giving parents the opportunity of notice and consent regarding childrenís information.

From there, he points out that we shouldn't base our entire policy on the assumption that the worst case scenario will happen to all kids. As he notes, kids are still kidnapped, but we still let them play outside. This doesn't mean we should let them run wild online -- just like we don't let kids run wild outside, either. But the rules, as set today, effectively say that children can only run outside in a few very inconvenient parks. We're overprotecting. And, as Jarvis notes, the ability to play online is important:

Children need to play online, too. They should create and get credit for their creativity. They should be able to establish a relationship with an educational site where they can track their own progress. Technology and the net donít just present danger; they afford opportunity. But by focusing only on the former, we can risk losing sight of the latter.

from the unintended-consequences dept

theodp writes

"In its tear-jerker 'Dear Sophie' Google Chrome ad, a father creates a Gmail account (dear.sophie.lee@gmail.com) for his just-born daughter to preserve memories of her childhood. So, how does that work out in real life? Not so good, at least in the case of 10-year-old Alex Sutherland, who the WSJ reports was reduced to tears after being notified that the Gmail account his father created on his behalf two years earlier would be deleted because the Google+ Profile Alex created triggered a Google Terms of Service age violation. 'You made my son cry, Google,' wrote blogger Martin Sutherland. 'I'm not inclined to forgive that.' Not to pile on, but Alex may also be persona non grata at Khan Academy, where learning under the age of 13 can also constitute a TOS violation."

To be fair, the "under 13" age issue is not something that should be blamed on Google, Khan Academy or any other site (and, really, if theodp wanted to be accurate, he could list most of the top sites on the internet, who all have this same restriction). It's (of course!) the result of poorly thought out legislation. Namely, the Children's Online Privacy Protection Act -- another one of these "for the children" laws that politicians love to pass without thinking about the unintended consequences. Here, as in many cases, the intentions may be good: to prevent websites from collecting too much info from children who don't quite recognize what they're doing, but the actual results are that most sites simply put in their terms of service that the site is not for people under 13, even if everyone assumes that those under 13 still use those sites.

Of course, even bringing up how silly this is can lead to backlash. When Mark Zuckerberg recently suggested that perhaps the law needed some rethinking to make it more reasonable for those under 13 to use useful parts of the internet, it was dubbed "controversial", and he had to clarify his remarks to make clear that he wasn't trying to get under 13 kids on the site any time soon.

Either way, it does seem silly for Google to put out a commercial in which a father creates an email address for someone under 13... when it's taking away accounts from others who do the same thing...